On Mon 09/12/2002 at 02:55, Peter wrote:
> i am using redhat73 kernel 2.4.18-18.7
> i want to limit number of httpd access per/client
> i use
> # insmod ipt_limit.o
> # iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
> then i get error:
> iptables: No chain/target/match by that name
> who can help me

Your syntax is wrong, so RTFM ;)

# iptables -m limit --help

cbr@elendil:~$ sudo iptables -m limit --help
iptables v1.2.7a
[...]
limit v1.2.7a options:
--limit avg                     max average match rate: default 3/hour
                                [Packets per second unless followed by
                                /sec /minute /hour /day postfixes]
--limit-burst number            number to match in a burst, default 5

The limit match is described in the Linux filtering HOWTO, which you can
read at http://www.netfilter.org/.

By the way, the limit match is aimed at matching packets that are _under_
the specified (via --limit argument) limit. If you want to match packets
over the limit, you have to modify your ruleset and introduce a user chain
dedicated to this need until ! --limit is available.

# iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
# iptables -A USER_CHAIN -p tcp --syn --dport http \
    -m limit --limit 4/s -j RETURN
# iptables -A USER_CHAIN -j REJECT

So you REJECT packets over the 4/s limit.

There's been a thread on this topic earlier; you should search the list
archives.

-- 
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
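The following is an added example, not part of the message above: a small token-bucket model of the iptables limit match that plays the USER_CHAIN ruleset from the reply against a constructed burst of HTTP SYNs, next to what a bare `-m limit ... -j REJECT` in INPUT would do. The names `LimitMatch`, `user_chain`, `naive_rule` and `run` and the packet timestamps are my own; the bucket is a simplification of netfilter's credit-based implementation, not its actual code.

```python
# Added example (not from the original post): a token-bucket model of the
# iptables "limit" match, showing why the USER_CHAIN inversion is needed.
# All packet timestamps below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Simplified model of '-m limit --limit <avg>/s --limit-burst <n>'.
    The bucket starts full, refills at avg tokens/s and never exceeds burst.
    A packet matches only while a token is available (traffic under limit)."""
    avg_per_sec: float
    burst: int = 5                    # iptables default for --limit-burst
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        refill = (now - self.last) * self.avg_per_sec
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def user_chain(limit: LimitMatch, now: float) -> str:
    """Verdict of the reply's USER_CHAIN for one HTTP SYN arriving at `now`:
    -A USER_CHAIN -p tcp --syn --dport http -m limit --limit 4/s -j RETURN
    -A USER_CHAIN -j REJECT"""
    if limit.matches(now):
        return "RETURN"               # under the limit: back to INPUT
    return "REJECT"                   # over the limit: rejected


def naive_rule(limit: LimitMatch, now: float) -> str:
    """What '-m limit --limit 4/s -j REJECT' placed directly in INPUT does:
    it rejects the packets *under* the limit and lets the excess continue."""
    return "REJECT" if limit.matches(now) else "CONTINUE"


def run(chain, syn_times, avg=4.0, burst=5):
    """Apply `chain` to SYN arrival times (seconds, ascending), in order."""
    lm = LimitMatch(avg, burst)
    return [chain(lm, t) for t in syn_times]


if __name__ == "__main__":
    times = [0.0] * 8 + [1.0] * 5     # constructed: burst of 8, then 5 more
    print(run(user_chain, times))
    print(run(naive_rule, times))
```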